TCP Port 12001 for ISE node replication

aravikumar
Level 1

Hello,

While registering the secondary admin node to the primary admin node, the node registration is failing after a few hours of syncing. We reached TAC and they found that the secondary node is not able to connect to the primary node on TCP port 12001 after syncing. Is TCP port 12001 allowed by default in the ISE nodes? Because there is no firewall in between these two nodes. Any help would be appreciated.

Thanks,

Aravind

2 Replies

Colby LeMaire
VIP Alumni

There is nothing you have to do when registering a secondary node other than click the button and put the credentials in, assuming your proper CA certificates are installed on both nodes and they trust each other. You should not have to mess with any ports or anything like that. Double check the network to make sure it isn't being blocked or that the network is stable and packets aren't being dropped. Other than that, continue to work with TAC towards resolution.

Damien Miller
VIP Alumni
Yes, TCP 12001 is allowed by default in a deployment. If you go to the CLI of your primary admin node, you can run "tech netstat | inc 12001" and you should see an established connection for every node in the deployment, including the PAN to itself on two lines.

Ex. from a four-node lab primary PAN CLI, where .109 is the primary PAN:
ise1/admin# tech netstat | inc 12001
tcp6 0 0 192.168.1.9:12001 :::* LISTEN 10883/jsvc.exec
tcp6 0 0 192.168.1.9:12001 192.168.1.9:43860 ESTABLISHED 10883/jsvc.exec
tcp6 0 0 192.168.1.9:12001 192.168.1.11:60288 ESTABLISHED 10883/jsvc.exec
tcp6 0 0 192.168.1.9:12001 192.168.1.12:37926 ESTABLISHED 10883/jsvc.exec
tcp6 0 0 192.168.1.9:12001 192.168.1.10:24647 ESTABLISHED 10883/jsvc.exec
tcp6 0 0 192.168.1.9:43860 192.168.1.9:12001 ESTABLISHED 10883/jsvc.exec

Nothing in line? Load balancers?
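
An added example (not part of the replies above, and not Cisco tooling): a Python script that takes the text of "tech netstat | inc 12001" pasted from the primary PAN and lists the deployment nodes that have no ESTABLISHED session on TCP 12001. The function names and the expected-node list are assumptions made for illustration; the sample input is the output quoted in the reply.

```python
import ipaddress

REPLICATION_PORT = 12001

# Output quoted in the reply above (four-node lab, run on the primary PAN).
SAMPLE = """\
tcp6 0 0 192.168.1.9:12001 :::* LISTEN 10883/jsvc.exec
tcp6 0 0 192.168.1.9:12001 192.168.1.9:43860 ESTABLISHED 10883/jsvc.exec
tcp6 0 0 192.168.1.9:12001 192.168.1.11:60288 ESTABLISHED 10883/jsvc.exec
tcp6 0 0 192.168.1.9:12001 192.168.1.12:37926 ESTABLISHED 10883/jsvc.exec
tcp6 0 0 192.168.1.9:12001 192.168.1.10:24647 ESTABLISHED 10883/jsvc.exec
tcp6 0 0 192.168.1.9:43860 192.168.1.9:12001 ESTABLISHED 10883/jsvc.exec
"""
# Assumption: the deployment's node list, here the four addresses in the sample.
EXPECTED_NODES = ["192.168.1.9", "192.168.1.10", "192.168.1.11", "192.168.1.12"]


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; port is None for a wildcard ('*')."""
    addr, _, port = endpoint.rpartition(":")
    return addr, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return (listening, peers) for local port 12001: LISTEN seen, ESTABLISHED remotes."""
    listening, peers = False, set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # prompt line, blank line, or non-TCP row
        _, local_port = split_endpoint(fields[3])
        remote_addr, _ = split_endpoint(fields[4])
        if local_port != REPLICATION_PORT:
            continue  # e.g. the client side of the PAN's connection to itself
        if fields[5] == "LISTEN":
            listening = True
        elif fields[5] == "ESTABLISHED":
            peers.add(remote_addr)
    return listening, peers


def missing_nodes(text, expected_nodes=EXPECTED_NODES):
    """Expected nodes with no ESTABLISHED session to the PAN on TCP 12001."""
    listening, peers = parse_netstat(text)
    absent = set(expected_nodes) if not listening else set(expected_nodes) - peers
    return sorted(absent, key=ipaddress.ip_address)


if __name__ == "__main__":
    print("missing:", missing_nodes(SAMPLE) or "none")
```

A node that shows up as missing here is the one whose path to the PAN (routing, inline devices, load balancers) is worth checking first.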